
Re: Authenticate to OpenLDAP using PAM



Wed, 07.04.2004 at 20:42, ms419@freezone.co.uk wrote:

> I would like to authenticate to my OpenLDAP server in the same way I 
> authenticate when I login (using PAM). After googling, I conclude most 
> people are interested in the reverse: Using LDAP to authenticate when 
> they login.

Most people? Postfix smtp auth is most interesting to Postfix people;
they usually don't give a grunt about pam (well, not quite true, but in
many cases so). Me, I insist on both Openldap and pam authentication
within the same DSA. But both are separate mechanisms, requiring
different procedures.

>  I've also read 
> "http://www.openldap.org/doc/admin22/security.html", but it's not clear 
> to what "user" and "password" correspond ...

This would be para. 9 in the admin guide (I have the single html
version). It has a factor in common to a pam authorization, though both
use different mechanisms.  A "user" would be an entity authenticating to
an LDAP server and a "password" would be the secret shared between that
entity and the LDAP server (hopefully no-one else). That much both
mechanisms have in common.

> Specifically, can the "user" and "password" supplied to the "simple" 
> OpenLDAP authentication method be checked using PAM?

Yes.

> More generally, how can I authenticate to OpenLDAP using PAM?

By making use of Padl's pam_ldap (generally coupled with the Padl
nss_ldap) module. It depends on what OS you use, many OSs include this
as standard (Slackware and Debian Linux may not - I don't use or know
either). More details about the pam mechanism at Padl's pam_ldap and
nss_ldap mailing lists, available from the www.padl.org url.

--Tonni

-- 
Cat vomit on the floor
after the weary homecoming
little disgust
faithful as a child
the cat bids welcome.

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl